Pwn2Own takes down IE 10 running on a Surface Pro

Chrome and Firefox go down, and to no one's surprise, Java also falls.

Browser security took a drubbing during the first day of an annual hacker contest, with the latest versions of Microsoft's Internet Explorer, Google's Chrome, and Mozilla's Firefox all succumbing to exploits that allowed attackers to hijack the underlying computer.

The Pwn2Own contest, which is sponsored by HP's Tipping Point division, paid $100,000 for the successful exploitation of IE 10 running on a Surface Pro tablet powered by Windows 8. The attack was impressive because it was able to bypass a variety of anti-exploit technologies Microsoft has added to its flagship operating system and browser over the past decade. To succeed, researchers from France-based Vupen Security had to combine multiple attacks, a technique that is growing increasingly common.

"We've pwned MS Surface Pro with two IE10 zero-days to achieve a full Windows 8 compromise with sandbox bypass," the firm announced by Twitter on Wednesday.

Day 1 also saw the full compromise of Chrome 25 on Windows 7, another impressive feat because it also required contestants to bypass security defenses Google developers have invested considerable resources in. The exploit also fetched its creators $100,000.

"We showed an exploit against previously undiscovered vulnerabilities in Google Chrome running on a modern Windows-based laptop," the winning, two-man team from MWR Labs wrote in a blog post. "By visiting a malicious webpage, it was possible to exploit a vulnerability which allowed us to gain code execution in the context of the sandboxed renderer process. We also used a kernel vulnerability in the underlying operating system in order to gain elevated privileges and to execute arbitrary commands outside of the sandbox with system privileges."

Firefox and a browser plugin for Oracle's Java software framework were also felled, fetching contestants $60,000 and $20,000 respectively for the exploits. Several other applications, including Adobe's Flash and Reader programs and Apple's Safari browser, remained untouched during the first day. The contest runs through Friday.

Now in its eighth year, Pwn2Own wields big cash payouts and whitehat prestige to simulate the financial incentives found in decidedly less-ethical hacking environments. The ultimate takeaway has always been that no software package is immune to crippling exploits that allow attackers to surreptitiously install malware when end-users visit innocuous-looking websites. But as the contest has evolved, it has strived to forge a reward system that mimics the underground economy where blackhats buy and sell attacks.

While not precise, prizes are intended to reflect the relative difficulty of devising a working exploit for a given program running on a particular operating system. Rewards this year are:

Promoted Comments

Will they be testing iOS, or is that trivial, as evidenced by various jailbreaking methods?

Jailbreaks are anything but trivial. It takes the finest minds in exploitation months to put a reliable one together and the current one can only be done with physical access and knowing the device PIN if any. That's well outside pwn2own goals of remote exploitation. Comex had this sort of jailbreak once (loading a PDF in Safari) but not currently.

Thanks, I didn't mean to imply that the jailbreak itself is trivial to attain, just that once it is out it seems easy to apply. Though I must confess, I only gather that from recent headlines about untethered jailbreaks. I wasn't aware of the physical access and PIN requirements, that's good to know.

I'm not trying to troll, I'm only asking as more and more enterprises and hospitals are deploying iPads, it is important to know how the actual security works in practice.

On one hand, Apple talks about highest security compliance, and on the other hand there is a jailbreak available for the masses. (I remember the PDF jailbreak, and wonder if the new one can be exploited maliciously.) So when administration asks "are iPads secure to deploy", what would be a realistic answer?

There is always the possibility of bad security holes, but I don't think that the existence of the iDevice jailbreaks makes them particularly insecure. Installing the jailbreak definitely changes the device security, but to do so takes an amount of directed effort. Although "drive-by" jailbreaks have existed in the past (and who knows, a new vulnerability may be discovered which allows it in the future), the current jailbreaks require tethering to a computer and couldn't be done accidentally.

To shift without the clutch: A golf-clap to Aurich, the visualization is great! I especially like the broken window.

I would congratulate Safari for surviving the first day unscathed, but Adobe Flash and Reader survived as well. That makes me assume that their survival is due to scheduling decisions by the various teams rather than inherent security.

Except despite still being highly targeted platforms, the sandboxing in both Flash and Reader is quite robust. I believe it took almost 2 years for someone to finally pierce Reader's Sandbox.

Preconceived notions seem to take a long time to die.

that's true, but there's a distinct difference between a preconceived notion and an established track record of insecurity. adobe and oracle both seem to have the latter.

But unlike Oracle, Adobe has taken dramatic steps to try and curtail the exploits. They even got assistance from Microsoft in developing the sandbox for Flash and Reader. Reader XI even added OTB support for ASLR mitigations.

I think all browsers have exploits. Like every complex program, they are expected to contain all kinds of bugs. Companies and developers should actively look for any security holes and fix them ASAP. Chrome maybe isn't perfect, but Google built a very reliable update mechanism and fixes all holes very quickly. Now compare it with Oracle and its Java plugin...

Not shabby that Chrome's exploit required a Windows exploit to break the sandbox. Last year it only took a day or two for them to patch, I wonder how quick it'll be this year ...

It wasn't clear to me if that was the case or not.

"We also used a kernel vulnerability in the underlying operating system in order to gain elevated privileges and to execute arbitrary commands outside of the sandbox with system privileges"

Do system privileges mean running as the system account, or simply that they could execute commands against the system outside of Chrome using the kernel exploit? Meaning when they say elevated privileges, was that something elevating them to root/admin access, or simply that they had to elevate using the exploit to get specifically to user-level access outside the sandbox?

Given the recent history of Java I would have expected the payout in the 4 digits only. I do wonder if the payouts are high enough to lure hackers to disclose their findings here as opposed to going blackhat.

Quote:

While not precise, prizes are intended to reflect the relative difficulty of devising a working exploit for a given program running on a particular operating system.

Quote:

Oracle Java ($20,000)

Yep.

A part of me wonders why they don't just disable the browser plugin by default and make it opt-in.

Another part of me wonders why Java has so many security issues that Flash doesn't. Admittedly I don't know Flash as well as Java, but I don't get the impression that Java has a whole lot of functionality that Flash (ActionScript in specific) doesn't.

Not shabby that Chrome's exploit required a Windows exploit to break the sandbox. Last year it only took a day or two for them to patch, I wonder how quick it'll be this year ...

did it require a Windows exploit or was that the next step after escaping the sandbox?

"We showed an exploit against previously undiscovered vulnerabilities in Google Chrome running on a modern Windows-based laptop. By visiting a malicious webpage, it was possible to exploit a vulnerability which allowed us to gain code execution in the context of the sandboxed renderer process."

Given the recent history of Java I would have expected the payout in the 4 digits only. I do wonder if the payouts are high enough to lure hackers to disclose their findings here as opposed to going blackhat.

The fact that the number of disclosed vulnerabilities in Java is high recently doesn't mean that it's easy to find them. If you look closer, you will notice that the bulk of these recent vulnerabilities comes from the Security Explorations company, whose CEO is a former member of the LSD hacker team that started studying Java security back in the 1990s. So the high number of vulnerabilities discovered recently is probably the result of the guy's huge experience with Java and security, rather than an indication that it is *easy* to find security holes in Java. Therefore, no reason to make the payout lower (I actually think the $20,000 they offer is surprisingly low).

given that the prize is lower for safari, it indicates, roughly, the difficulty level. also, that ie and chrome have a 100k prize pretty much guarantees these will be the first targets. or simply a scheduling thing. if i were participating, i'd focus my effort on the big money.

It's more likely got something to do with the fact that Apple finally stopped including insecure plugins by default, like Flash and Java.

If you go back and look at what took down Safari over the years, it often had to do with the exploit of somebody else's tech that was included in a default install of Mac OS.

Another part of me wonders why Java has so many security issues that Flash doesn't. Admittedly I don't know flash as well as Java, but I don't get the impression that Java has a whole lot of functionality that Flash doesn't.

It's not necessarily that Java has more security flaws. It's also that Java is a general-purpose programming language, so finding any security flaw that lets you evade the sandbox almost immediately lets you do anything you want--cross-platform.

If you find a flaw in Flash, you still have to find your way to platform-specific routines that let you actually cause harm. If you find a flaw in Java, they're all at your disposal.

Guess I should clarify, when I say Flash, I really mean ActionScript, which is a general-purpose programming language that is part of Flash